PWB course discourages using tools like Nessus and Metasploit for exploting the lab machines. I am fine with it. My question is what should be the approach to find the vulnerabilities. Do you follow any pattern or just go through each service and test them manually? I appreciate if someone can give insights on how much time to spend on each host. The course examples use ftp fuzzing but I am not sure how to apply that technique to other services/ports that are open. Please share your thoughts.

Nmap version scanning would give you the most info the quickest. Then just research on exploit-db or the other vuln sites. If you run into problems with the results, you may need to dig a little deeper manually. For example, maybe the banner was changed and that's all nmap reviewed. In the case of a web server, try HTTPrint in addition to nmap.

Also, see if you can find another service that discloses information (i.e. snmp may show ports / processes).

Some may require manual review. Instead of there being a vuln with the web server, maybe you have to explore the web app (view source, etc.) to find the version of the app and see if it has any associated vulnerabilities with that.

I don't think you need to do any fuzzing unless you do the Extra Mile exercises in the exploitation module.

I did to arrive to the lab yet, but I think the fuzzing is good. I am doing the extra mile and you begin to understand how to manage the exploit and modify it. This is showing me a good understanding how to attack machines no just copy and paste tools.

blueaxis wrote:Thanks for sharing your views. I have seen people using the term "Low Hanging Fruit". Any tips how to identify these?

You're going to have to rely on your intuition and experience here. Think about what *obvious* problems could be present with a given service. Does it require authentication? Maybe blank, default, or easily-guessable credentials are being used. Does the it disclose it's name and version? Check Exploit DB, maybe you can get a root shell by simply providing a script with the target IP address.

low hanging fruit refers to easily hackable hosts. Often these hosts can be hacked using automated attacks like DBautopwn or simple password guessing (root/toor) for example. Other hosts that require more skills are considered harder. My advice is look for the low hanging fruit in the labs first, do not worry about skipping a few hosts because they seem too hard, go for the hosts that seem fun/challenging and have a crack at those.

CISSP, CEH, ECSA, OSCP, OSWP, eCPPT, eWAPT

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

WHen i was stuck and did not know how to proceed, I found it useful to look at videos on youtube and securitytube.net to see how others had approached similar problems. g0tmi1k.blogspot.com has a lot of videos as well, although the machines being hacked are totally different, when you see the videos you understand the approach that is taken from info gathering to validating possible vulnerabilities to getting a shell and the final privilege escalation. Once you understand the approach, it should help you progress faster